
csp策略

MaiXinRong 11 months ago
parent
commit
8ee88d7937
4 changed files with 8 additions and 3 deletions
  1. 1 2
      app/middleware/http_header.js
  2. 1 1
      config/config.default.js
  3. 3 0
      config/config.local.js
  4. 3 0
      config/config.qa.js

+ 1 - 2
app/middleware/http_header.js

@@ -16,8 +16,7 @@ module.exports = options => {
         ctx.set('strict-transport-security', 'max-age=31536000; includeSubDomains; preload');
         //
         const csp = [
-            'default-src', `'self' 'unsafe-inline' https://*.smartcost.com.cn https://*.aliyuncs.com https://*.qq.com/ https://res.wx.qq.com/;`,
-            'img-src', `'self' data: blob: https://*.aliyuncs.com http://*.smartcost.com.cn;`,
+            'default-src', `'self' data: 'unsafe-inline' 'unsafe-eval' https://*.smartcost.com.cn https://*.aliyuncs.com https://*.qq.com/`,
         ];
         ctx.set('Content-Security-Policy', csp.join(' '));
         // IE8以上版本用户,在下载时,不显示打开选项
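Review bot: The rewritten `default-src` on the added line now carries `'unsafe-eval'` and `data:` next to `'unsafe-inline'`, and because `default-src` is the fallback for `script-src`, `object-src`, `frame-src` and the other fetch directives, the policy now permits inline scripts, `eval`, and `data:`-URI scripts and plugins on every page, which leaves the header with very little XSS mitigation. If some library genuinely needs `'unsafe-eval'`, scope it to its own `script-src` entry and keep the fallback strict, roughly `default-src 'self' https://*.smartcost.com.cn https://*.aliyuncs.com https://*.qq.com/;` followed by `object-src 'none';`, with `data:` and `blob:` kept in a separate `img-src` as the removed line had them. The removed `img-src` also allowed `http://*.smartcost.com.cn`, so if any images are still served over plain HTTP they are now blocked; confirm that is intended. Note that the trailing `;` was dropped from the new value, which is harmless with one directive but will produce a malformed header via `csp.join(' ')` as soon as a second entry is appended. The enclosing middleware function starts outside the hunk.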

+ 1 - 1
config/config.default.js

@@ -65,7 +65,7 @@ module.exports = appInfo => {
     config.pageSize = 15;
 
     // 中间件
-    config.middleware = ['httpHeader', 'gzip', 'urlParse', 'sortFilter', 'autoLogger', 'autoFinishLogger'];
+    config.middleware = ['gzip', 'urlParse', 'sortFilter', 'autoLogger', 'autoFinishLogger'];
 
     // session配置
     config.session = {
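Review bot: Dropping `'httpHeader'` from the default middleware list means any environment that does not redefine `config.middleware` — including whatever production config this repo has, which is not in the diff — no longer runs the middleware that sets `Content-Security-Policy` and `Strict-Transport-Security`, while the identical list is re-added only in config.local.js and config.qa.js. If the intent is to keep the headers off in production until the policy is settled, make that explicit and reversible, e.g. leave the list intact here and have the production config override it, or at least annotate the changed line with `// httpHeader (CSP/HSTS) is currently enabled only in local/qa; see config.local.js and config.qa.js`. The env files assign the whole six-entry array rather than extending it, so a middleware added to the default later will silently be missing in local and qa unless both copies are updated — the same concern applies to the config.local.js and config.qa.js hunks.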

+ 3 - 0
config/config.local.js

@@ -49,6 +49,9 @@ module.exports = appInfo => {
         key: '9b67989994f9def437ea68bb495f0162',
     };
 
+    // 中间件
+    config.middleware = ['httpHeader', 'gzip', 'urlParse', 'sortFilter', 'autoLogger', 'autoFinishLogger'];
+
     // 前端验证
     config.jsValidator = {
         client: {},

+ 3 - 0
config/config.qa.js

@@ -31,6 +31,9 @@ module.exports = appInfo => {
     // 表名前缀
     config.tablePrefix = 'zh_';
 
+    // 中间件
+    config.middleware = ['httpHeader', 'gzip', 'urlParse', 'sortFilter', 'autoLogger', 'autoFinishLogger'];
+
     // redis设置
     config.redis = {
         client: {